Slide 1
Ideal Models in Symmetric Cryptography
Stefano Tessaro, UC Santa Barbara
Visions of Cryptography, Weizmann Institute
Slide 2
Crypto-History [oversimplified]
2000 BC to 1982: cryptographic algorithms designed from scratch, no proofs, …
From 1982: provable security. Security of cryptosystems formalized and proven under computational assumptions. Amazingly successful.
Slide 3
The Sky is the Limit!
Encryption, signatures, multi-party computation, secure delegation, functional encryption, FHE, …
Slide 4
This Talk – In a Nutshell
This talk: a biased selection of problems which cannot be studied within the traditional framework of provable security.
Leitmotif: security proofs are in ideal models (e.g. random oracle model, ideal cipher model, etc.).
Two high-level goals:
1. Survey: a set of problems not as widely considered by the core theory community.
2. Thought-provoking: foster discussion on ideal models, and show why "we are stuck with them".
Slide 5
Ideal Models
Cryptographic primitives: a set 𝒫 of valid "instances", for example
- Functions {0,1}* → {0,1}^n
- Permutations {0,1}^n → {0,1}^n
- Pairs (f, op), where f: Z_q → {0,1}^n and op(f(a), f(b)) = f(a + b)
Ideal-𝒫 model: pick P u.a.r. (uniformly at random) from 𝒫; every algorithm (i.e., attacker, schemes) is given access to P.
Random-oracle model [FiaSha86, BelRog93]. Generic-group model [Sho97].
Rationale: the ideal primitive P has all security properties expected from 𝒫-candidates.
Slide 6
Ideal Models
Fact [CaGoHa98]: security proofs in ideal models are not "sound".
This talk: problems motivated by the design of efficient and highly secure constructions of symmetric cryptographic primitives (block ciphers, hash functions).
Ideal models are used in security proofs because:
- They are the only way to give "provable" answers.
- Security against a limited attacker class (i.e., generic attacks) is partially justified by existing cryptanalytic attacks.
"A proof in an ideal model is better than no proof at all."
Slide 7
Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives
Slide 8
Pseudorandom Functions [GoGoMi84]
Keyed function F: K × X → Y.
Distinguishing game: D makes Q adaptive queries x, runs in time T, and outputs 0/1.
- Left world: x ↦ F(SK, x) for a random secret key SK.
- Right world: x ↦ R(x) for a random function R: X → Y (R(x) = $).
Definition. F is a (T, Q, ε)-PRF if ∀ (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
[Typically: ε = negl for T, Q = poly(k); here we care about concrete security.]
PRFs ⟹ efficient symmetric encryption, MACs, …
Slide 9
Candidates: Block Ciphers
E: (SK, M) ↦ C and E^-1: (SK, C) ↦ M.
E.g.: AES, DES, 3DES, IDEA, BLOWFISH, …
|M| = |C| = n (e.g. n = 128). |SK| = k (e.g. k = 128, 256, …).
For every SK, the block cipher is a permutation on n-bit strings: M' ≠ M ⟹ C' ≠ C.
Slide 10
Pseudorandom Permutations [LubRac85]
Block cipher E: K × X → X.
- Left world: (+, x) ↦ E(SK, x) and (–, y) ↦ E^-1(SK, y), for a random SK.
- Right world: (+, x) ↦ P(x) and (–, y) ↦ P^-1(y), for a random permutation P: X → X.
Definition. E is a (T, Q, ε)-PRP if ∀ (T, Q)-distinguishers D making forward queries (+, x): Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
STRONG-PRP: the same, but D may additionally make inverse queries (–, y).
Slide 11
Pseudorandom Constructions
Building PRFs / PRPs from weaker pseudorandom objects is a central problem both in theoretical and applied cryptography.
Example: PRF from PRP (PRP → PRF?). A construction C makes calls to E.
Standard-model provable security: if E is a (T, Q, ε)-PRP then C is a (T', Q', ε')-PRF, where T' ≈ T.
Important: we always have T' < T.
Slide 12
Our Problem: From Weak to Strong Ciphers
Block-cipher design paradigm: design a weak component, then iterate the weak component multiple times.
Sequential composition of weak ciphers: M → E_{K_1} → E_{K_2} → E_{K_3} → C.
Used for 3DES, where E = DES is insecure (widespread in the electronic payment sector).
DES: best attack 2^42. 3DES: best attack 2^90.
Expectation: breaking the construction is strictly harder than breaking the component. Hope: T' > T!
Cannot show this in the standard model under any reasonable assumption on E …
Slide 13
Amplification of Generic Security
M → E_{K_1} → E_{K_2} → E_{K_3} → C
"Generic" security amplification: prove that there is no generic attack (treating E as a black box) which breaks sequential composition with complexity less than T' >> 2^k.
Observation (exhaustive key search). E can always be distinguished with 2^k computation and Q = O(k/n) queries.
Slide 14
The Ideal Cipher Model [Sha49]
∀ SK ∈ {0,1}^k: E_SK is chosen u.a.r. from the set of all permutations {0,1}^n → {0,1}^n.
The ideal cipher IC answers (+, SK, M) ↦ E_SK(M) and (–, SK, C) ↦ E_SK^-1(C).
Left world: D interacts with the construction C^IC under a random key SK (construction queries (+, M), (–, C)) and with IC directly (primitive queries (+, SK, M), (–, SK, C)).
Right world: D interacts with a random permutation P in place of C^IC, and with IC directly.
D makes Q_C construction queries and Q_P primitive queries.
Definition. C is a (Q_C, Q_P, ε)-strong PRP if ∀ (Q_C, Q_P)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
Two query types:
- Primitive queries ⟹ "local" computation.
- Construction queries ⟹ key-dependent access to the primitive.
Slide 15
The General Problem
Problem. Find an efficient C which is a (Q_C, Q_P, ε = negl)-strong PRP for Q_C, Q_P both as large as possible.
Trivial limits: Q_C ≤ 2^n and Q_P < 2^(n + k).
Slide 16
Two-fold Sequential Composition
EE_{SK_1, SK_2}(x) = E_{SK_2}(E_{SK_1}(x)).
A construction query (+, x) in the ideal-cipher model is answered as: y ← IC(+, SK_1, x); z ← IC(+, SK_2, y); return z.
Slide 17
Two-fold Sequential Composition
Meet-in-the-middle attack [DifHel76]. Distinguisher D:
  z ← C(+, x)
  ∀ SK'_1: y[SK'_1] ← IC(+, SK'_1, x)
  ∀ SK'_2: y'[SK'_2] ← IC(–, SK'_2, z)
  If ∃ SK'_1, SK'_2: y[SK'_1] = y'[SK'_2] then output 1, else output 0.
Fact 1. Pr[D → 1 | left] = 1.
Fact 2. If k < n/2: Pr[D → 1 | right] < 1/2.
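The distinguishing experiment above, run end to end on a toy ideal cipher, as an added example (this code is not from the talk): the block implements a lazily sampled ideal cipher, the two-fold cascade EE as the left-world construction, an independent random permutation P as the right-world construction, and the slide's distinguisher D. The parameters n = 8 and k = 2 are constructed so that the whole key space is enumerable; the names IdealCipher, run_game and right_world_rate are this example's own. It shows Fact 1 (D always outputs 1 in the left world, with Q_C = 1 and Q_P = 2^(k+1)) and an empirical version of Fact 2 (in the right world D outputs 1 well under half the time when k < n/2), i.e. why a two-fold cascade buys no generic security beyond 2^k.

```python
"""Ideal-cipher-model experiment for the two-fold cascade EE and the
meet-in-the-middle distinguisher D from the slide.  Added example, not from
the talk; n = 8-bit blocks and k = 2-bit keys are toy, constructed parameters."""
import random


class IdealCipher:
    """Lazily sampled ideal cipher: for every key an independent random
    permutation on n-bit blocks, filled in only at the points actually queried."""

    def __init__(self, n, rng):
        self.n, self.rng = n, rng
        self.fwd, self.inv = {}, {}  # key -> {x: y} and key -> {y: x}

    def enc(self, key, x):
        f, b = self.fwd.setdefault(key, {}), self.inv.setdefault(key, {})
        if x not in f:
            # fresh input: choose an unused output so the table stays a bijection
            y = self.rng.choice([v for v in range(1 << self.n) if v not in b])
            f[x], b[y] = y, x
        return f[x]

    def dec(self, key, y):
        f, b = self.fwd.setdefault(key, {}), self.inv.setdefault(key, {})
        if y not in b:
            x = self.rng.choice([v for v in range(1 << self.n) if v not in f])
            f[x], b[y] = y, x
        return b[y]


def mitm_distinguisher(construct, ic, k, x=0):
    """The slide's D.  Returns (verdict, Q_C, Q_P): one construction query
    and 2^(k+1) primitive queries, independent of the block size n."""
    z = construct(x)                                          # z <- C(+, x)
    y = {sk1: ic.enc(sk1, x) for sk1 in range(1 << k)}        # y[SK'_1] <- IC(+, SK'_1, x)
    y_prime = {sk2: ic.dec(sk2, z) for sk2 in range(1 << k)}  # y'[SK'_2] <- IC(-, SK'_2, z)
    verdict = 1 if set(y.values()) & set(y_prime.values()) else 0
    return verdict, 1, 2 * (1 << k)


def run_game(world, n, k, seed):
    """One run of the strong-PRP game in the ideal-cipher model.
    'left': the construction is EE_{SK1,SK2} built on IC (its internal IC calls
    are the construction's, not D's primitive queries).
    'right': the construction is an independent random permutation P, realised
    here as a separate ideal cipher used under one fixed key."""
    rng = random.Random(seed)
    ic = IdealCipher(n, rng)
    if world == "left":
        sk1, sk2 = rng.randrange(1 << k), rng.randrange(1 << k)

        def construct(m):
            return ic.enc(sk2, ic.enc(sk1, m))
    else:
        perm = IdealCipher(n, rng)

        def construct(m):
            return perm.enc(0, m)
    return mitm_distinguisher(construct, ic, k)


def right_world_rate(n, k, trials):
    """Empirical Pr[D -> 1 | right]; Fact 2 says this is < 1/2 when k < n/2."""
    return sum(run_game("right", n, k, s)[0] for s in range(trials)) / trials


if __name__ == "__main__":
    print("left-world verdicts :", [run_game("left", 8, 2, s)[0] for s in range(10)])
    print("right-world rate    :", right_world_rate(8, 2, 200))
```

In the right world a collision between the two lists happens only by chance, with probability roughly 2^(2k)/2^n per run, which is why the condition k < n/2 appears in Fact 2.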
Slide 18
DESX [Rivest, 1984]
DESX_{SK, SK_1, SK_2}(M) = E_SK(M ⊕ SK_1) ⊕ SK_2.
Theorem [KilRog01]. DESX is a (Q_C, Q_P, ε = negl)-strong PRP if Q_C · Q_P < 2^(n + k).
- Result meaningful even when k = 0 [EveMan96].
- Proof succeeds even if SK_1 = SK_2 [DunKelSha11].
- Essentially optimal for one-call constructions [GazTes12].
Slide 19
3DES
3DES: M → E_{SK_1} → E_{SK_2} → E_{SK_3} → C.
Caveat (for DESX): if Q_C approaches 2^n, then it is distinguishable with Q_P = 2^k queries.
Alternative: back to sequential composition! (used in 3DES)
Theorem [BelRog06, GazMau10]. 3DES is a (Q_C, Q_P, ε = negl)-strong PRP as long as Q_C ≤ 2^n and Q_P < 2^(n/2 + k).
Slide 20
3DES – Proof Approach
Picture the ideal cipher as a family p_1, …, p_K of K = 2^k random permutations. For random i, j, k, the composition of p_i, p_j, p_k is p.
Lemma. Hard to distinguish with fewer than 2^(k + n/2) queries.
Slide 21
Beyond Length 3
l-fold cascade: E_{SK_1} → E_{SK_2} → … → E_{SK_l}.
Expectation: security increases with l.
Theorem [Lee13]. Security for Q_P → 2^(k + min{k, n}) when l → ∞.
Slide 22
Increasing Efficiency [GazTes12]
2XOR-Cascade: two calls to E (under keys SK and SK'' in the figure) with a further key SK' XORed into the state.
Theorem [GazTes12]. 2XOR-Cascade is a (Q_C, Q_P, ε = negl)-strong PRP if Q_C ≤ 2^n and Q_P < 2^(k + n/2).
[Same security as 3DES, one block cipher call less.]
Slide 23
XOR Cascades
x → ⊕ SK'_1 → E_{SK_1} → ⊕ SK'_2 → E_{SK_2} → ⊕ SK'_3 → … → E_{SK_l} → ⊕ SK'_{l+1}.
Theorem [LPS12, Lee13, Gaz13, CheSte13]. Security for Q_P → 2^(k + n) when l → ∞. Optimal!
Slide 24
Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives
Slide 25
Hash Functions
Example: block-cipher based hash functions [PGV93], H(X, Y) = Z computed with a call to E.
Practical hash-function constructions are usually only analyzed in ideal models.
Goal: optimize the concrete security / number-of-calls tradeoff for standard security properties [hundreds of papers!].
Slide 26
Key-Derivation Functions
Goal: derive a secret key from a low-entropy secret (e.g., a password); PKCS#5 standard.
pw || salt → H → H → … → H → SK, where the salt is randomly chosen per KDF evaluation.
Expectations:
- Time to break should increase linearly with the iteration length.
- Time to break should increase linearly with the number of independent instances.
Theorem [BeRiTe12]. The expectations are true for KDFs from the PKCS#5 standard (in the ROM).
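The iterated chain pw || salt → H → … → H → SK with a hash-call counter, as an added example (not code from the talk or from the PKCS#5 standard; SHA-256 stands in for H and the chain is a simplified PKCS#5-style iteration rather than the standard's exact function). It makes the two expectations concrete in the only unit the ROM proof measures, hash evaluations: testing one password guess against m stored instances costs c hash calls per instance, so c · m in total, but only if the salts are independent, since instances sharing a salt let one chain be reused. The names CountingHash, derive, hash_calls_to_test_guess and the sample passwords and salts are this example's own constructions.

```python
"""Iterated-hash KDF chain pw || salt -> H -> H -> ... -> H -> SK with a call
counter.  Added example, not from the talk or the PKCS#5 standard itself: a
simplified PKCS#5-style iteration with SHA-256 standing in for H."""
import hashlib


class CountingHash:
    """Wraps SHA-256 and counts how often it is evaluated (the ROM's unit of work)."""

    def __init__(self):
        self.calls = 0

    def h(self, data):
        self.calls += 1
        return hashlib.sha256(data).digest()


def derive(H, pw, salt, c):
    """Apply H c times, starting from pw || salt; returns the derived key SK."""
    state = pw + salt
    for _ in range(c):
        state = H.h(state)
    return state


def hash_calls_to_test_guess(guess, instances, c):
    """Hash calls needed to check one candidate password against every stored
    (salt, derived key) pair.  A chain is reused whenever two instances share a
    salt, which is exactly what per-evaluation random salts prevent.
    Returns (calls, number of instances the guess matched)."""
    H = CountingHash()
    chains = {}
    matched = 0
    for salt, key in instances:
        if salt not in chains:
            chains[salt] = derive(H, guess, salt, c)
        matched += chains[salt] == key
    return H.calls, matched


# Constructed sample data: the same password registered at m = 4 places.
PASSWORD = b"correct horse"
C = 1000
SALTS_INDEPENDENT = [bytes([i + 1]) * 8 for i in range(4)]  # four distinct salts
SALTS_SHARED = [b"\x00" * 8] * 4                              # one salt reused


def registered_instances(salts, pw=PASSWORD, c=C):
    """Simulate m KDF evaluations, one per salt in the (constructed) list."""
    H = CountingHash()
    return [(salt, derive(H, pw, salt, c)) for salt in salts]


if __name__ == "__main__":
    for name, salts in (("independent salts", SALTS_INDEPENDENT), ("shared salt", SALTS_SHARED)):
        calls, hits = hash_calls_to_test_guess(PASSWORD, registered_instances(salts), C)
        print(f"{name:18s}: {calls} hash calls to test one guess, {hits} instances matched")
```

Doubling c doubles the calls for every instance, which is the first expectation; the second expectation is the factor m that appears only in the independent-salt case.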
Slide 27
Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives
Slide 28
So far: a construction C of a primitive Q from a primitive P achieving a specific goal, with a security proof in the ideal-P model.
Most ambitious goal: a construction C(.) using the ideal primitive P such that C(P) is "as good as" the ideal primitive Q.
"If an application is secure in the ideal-Q model, then it is secure in the ideal-P model, where calls to Q are replaced by calls to C(P)."
Slide 29
Indifferentiability [MaReHo04]
Left world: D interacts with C^P and with P. Right world: D interacts with Q and with a simulator SIM that itself has access to Q.
Definition. C is (Q_C, Q_P, ε)-indifferentiable if ∃ (efficient) SIM ∀ D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
[Typically: efficient = poly(Q_C, Q_P), ε = negl(k).]
Keyless, deterministic construction.
Slide 30
Composability [MaReHo04]
Arbitrary security game G, run either with access to Q or with access to C(P).
Pr[G → 1 | Q] = negl. Pr[G → 1 | C(P)] = ?
Indifferentiability (via SIM) ⟹ Pr[G → 1 | C(P)] = negl.
Slide 31
Indifferentiability Constructions
The literature on indifferentiability encompasses by now hundreds of papers.
Standard security notion for hash function constructions (e.g., in the SHA-3 competition): "the hash function has all security properties of a random oracle."
Typical example: random oracles from ideal ciphers. IV → E(M_1) → E(M_2) → … → E(M_l) → truncate.
Theorem [CDMP05]. The construction is indifferentiable from a random oracle in the ideal-cipher model.
Slide 32
Ideal Ciphers from Random Oracles
Theorem [HoKuTe11]. 14-round Feistel (round functions F_1, …, F_14) is indifferentiable from a random permutation.
Much more complex than the converse. [CoPaSe08]
Slide 33
Indifferentiability Constructions
Other constructions:
- Random oracles from fixed input-length random oracles with optimal security […, MauTes07, …, DodSte11, …].
- Ideal ciphers from random permutations [ABDMS13, LamSeu13]. Leads to interesting questions about expander graphs.
Slide 34
Multi-Stage Games
Two stages G_1 and G_2, each with access to Q, jointly produce the output 0/1.
Examples: deterministic encryption, leakage resilience, …
Observation [RSS11]. Indifferentiability does not imply composition for multi-stage games.
Slide 35
Multi-Stage Games
New goal: find good indifferentiability-like notions with composition properties for multi-stage games.
Reset indifferentiability [RSS11]: the distinguisher is allowed to reset the simulator.
Reset indifferentiability is sufficient for secure composition in the multi-stage setting.
Many impossibility results: traditional indifferentiability results are impossible for reset indifferentiability [DGHM13, BBM13, …].
…
Slide 36
Conclusions
Ideally, we would like to avoid ideal models.
A large number of relevant security questions can only be answered using ideal-model security proofs.
Ideal models give rise to a rich area of works with interesting theoretical questions.
Slide 37
Thank you!
Slide 38
DESX – Proof Idea
Extend the ideal world: D interacts with the random permutation P and with IC, and the keys SK, SK_1, SK_2 are chosen at random as well.
Transcript: T_C = {(w, z)} of size Q_C (construction queries) and T_P = {(SK', x, y)} of size Q_P (primitive queries).
D wins if
  ∃ (w, *) ∈ T_C: (SK, w ⊕ SK_1, *) ∈ T_P, or
  ∃ (*, z) ∈ T_C: (SK, *, z ⊕ SK_2) ∈ T_P.
Lemma 1. ε ≤ Pr[D wins].
Lemma 2. Pr[D wins] ≤ 2 Q_C Q_P / 2^(n + k).
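The "D wins" event and the Lemma 2 bound made concrete, as an added example (not code from the talk): for toy parameters n = 4, k = 2 and a constructed pair of transcripts T_C, T_P, the block enumerates every triple (SK, SK_1, SK_2) and computes Pr[D wins] exactly, then compares it with 2 Q_C Q_P / 2^(n + k). Since the transcript is fixed before the keys are drawn, the probability is over the keys alone, which is the union-bound argument behind Lemma 2. The transcripts and the names d_wins, win_probability and lemma2_bound are this example's own.

```python
"""Exact evaluation of the 'D wins' event from the DESX proof idea over a
small, constructed transcript, compared with the Lemma 2 bound
2 * Q_C * Q_P / 2^(n + k).  Added example, not from the talk: toy parameters
n = 4, k = 2 keep the full enumeration of (SK, SK1, SK2) tiny."""
from fractions import Fraction
from itertools import product

N, K = 4, 2  # toy block size and key size (constructed)

# Constructed transcripts.  T_C holds construction queries (w, z);
# T_P holds primitive queries (SK', x, y), meaning E_{SK'}(x) = y.
T_C = [(0b0011, 0b1010), (0b0101, 0b0110), (0b1111, 0b0000)]
T_P = [(0, 0b0001, 0b0111), (1, 0b0011, 0b1100), (1, 0b1000, 0b0001),
       (3, 0b0010, 0b1110), (2, 0b0110, 0b0011)]


def d_wins(t_c, t_p, sk, sk1, sk2):
    """The slide's bad event: some construction query (w, z) lines up with a
    primitive query made under the real key SK, either at the cipher input
    (w ⊕ SK1 = x) or at the cipher output (z ⊕ SK2 = y)."""
    inputs = {x for key, x, _ in t_p if key == sk}
    outputs = {y for key, _, y in t_p if key == sk}
    return any((w ^ sk1) in inputs or (z ^ sk2) in outputs for w, z in t_c)


def win_probability(t_c, t_p, n=N, k=K):
    """Pr[D wins] over uniform, independent SK in {0,1}^k and SK1, SK2 in {0,1}^n,
    computed exactly by enumeration; the transcript is fixed first, as in the
    proof, where the keys are sampled after the interaction."""
    triples = product(range(1 << k), range(1 << n), range(1 << n))
    wins = sum(d_wins(t_c, t_p, *triple) for triple in triples)
    return Fraction(wins, (1 << k) * (1 << n) * (1 << n))


def lemma2_bound(q_c, q_p, n=N, k=K):
    """Union bound over the Q_C * Q_P query pairs and the two ways to line up:
    each pair lines up at the input with probability 2^-k * 2^-n (SK and SK1
    must both match), and likewise at the output."""
    return Fraction(2 * q_c * q_p, 1 << (n + k))


if __name__ == "__main__":
    p = win_probability(T_C, T_P)
    b = lemma2_bound(len(T_C), len(T_P))
    print(f"Pr[D wins] = {p} ({float(p):.4f}) <= bound {b} ({float(b):.4f})")
```

For the one-query transcript T_C = {(0, 0)}, T_P = {(0, 0, 0)} the exact value is 31/1024 (SK must be 0, and then SK_1 = 0 or SK_2 = 0), against a bound of 2/64, which shows the slack the union bound leaves even in the smallest case.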